TLS: An examination into the Security of the Internet, Part 2
TLS, more often referred to as SSL, is the means by which a secure connection is established over a computer network. Part 1 examines how to establish a secure connection using TLS. This article examines further the techniques and technology that makes TLS secure. Specifically, a brief examination of certificates, cipher suites, and public-key authentication.
A certificate is a vessel for a domain to provide authentication information. More specifically, and perhaps most importantly, a certificate is the package which transfers a key. TLS relies entirely upon Public-Key Authentication to setup a secure connection. The challenge with Public-Key Authentication is often sharing keys in a verifiable and secure manner. This is to say that, despite public keys being public, you still need to verify the owner of the key. This is where certificates, and Certificate Authorities come in. Each certificate is tailored to a specific domain. It includes not only the public key for a user to connect to the server with, but also meta-data about the certificate: a UUID, and information about the Certificate Authority; a signature authorizing the certificate, as well as the encryption used for the signature; a thumbprint of the key, and details of the algorithm used to hash the key; and a purpose for the certificate. Certificates may contain additional details, but the aforementioned list is required.
A Certificate Authority (CA) is a trusted third-party repository of signed keys. The purpose of a CA is very specific: verification. A CA will generate and issue a key-pair to a domain. The domain can then share the public key using a certificate. How specifically a CA verifies the domains and keys is out of scope of this discussion, but Wikipedia provides many details on the techniques used.
A cipher is the algorithm used to encrypt information. Ciphers are incredibly complex mathematical formulae, and are well beyond my understanding. However, it is important to note that the strength of a key is only as strong as the cipher suite used to generate it. Likewise, the strength of a certificate is only as strong as the cipher used to sign it. Keep this in mind when you generate and work with keys.
The most important part of TLS is public-key authentication. I would argue that public-key authentication is one of the most important facets of the technical world. Because of this, I want to recap in more general terms how public-key authentication works:
- Two parties want to establish a secure connection.
- Each party generates two keys: one to share publicly, one to keep secret.
- Each party then shares their public keys.
Now, whenever one of the two parties wants to securely communicate with the other, they "sign" (encrypt) the communication with their private key. The second party can then use the public key of the first party to verify the identify of the sender, and decrypt the message.
Security is a very deep and involved topic, but one I feel every Sys-Admin should know a bit about. While these posts are only meant to serve as a high-level overview of TLS, there are many more-detailed sources available. I would suggest a visit to your local Wikipedia as a good first step. Thanks for reading.
- Wikipedia: Public-key Cryptography
- Stack Exchange: How is it possible that people observing an HTTPS connection being established wouldn't know how to decrypt it?
- Stack Exchange: How Does SSL/TLS work?